System and method for content protection based on a combination of a user PIN and a device specific identifier
Abstract
Disclosed herein are systems, methods, and non-transitory computer-readable storage media for encryption and key management. The method includes encrypting each file on a computing device with a unique file encryption key, encrypting each unique file encryption key with a corresponding class encryption key, and encrypting each class encryption key with an additional encryption key. Further disclosed are systems, methods, and non-transitory computer-readable storage media for encrypting a credential key chain. The method includes encrypting each credential on a computing device with a unique credential encryption key, encrypting each unique credential encryption key with a corresponding credential class encryption key, and encrypting each class encryption key with an additional encryption key. Additionally, a method of generating a cryptographic key based on a user-entered password and a device-specific identifier secret utilizing an encryption algorithm is disclosed.
Claims
What is claimed is:
1. A method for generating a master key for accessing content stored by a computing device, the method comprising:
at a hardware module included in the computing device, wherein the hardware module is separate and distinct from a processor included in the computing device and is communicably coupled to the processor:
receiving, from the processor, a request to generate the master key, wherein the request includes biometric data associated with a user of the computing device;
accessing an identifier that is unique to the computing device, wherein the identifier is directly accessible only to the hardware module within the computing device, and is stored by the hardware module in a manner that prevents software executing by way of the processor from directly accessing the identifier;
combining the biometric data and the identifier to produce a combined value;
carrying out an iterative function on the combined value to produce the master key, wherein a number of iterations associated with the iterative function is based on a selected security level; and
providing the master key to the processor, wherein the master key is utilized by the processor to access the content.
2. The method of claim 1, further comprising:
receiving an indication of the security level.
3. The method of claim 1, wherein the identifier is indirectly-accessible to the processor via the hardware module.
4. The method of claim 1, wherein the request specifies a number of iterations to be performed on the combined value by the iterative function.
5. The method of claim 4, wherein the iterative function includes a Password-Based Key Derivation Function 2 (PBKDF2).
6. The method of claim 4, wherein the iterative function includes a Hash-based Message Authentication Code Secure Hash Algorithm 1 (HMAC-SHA1).
7. The method of claim 1, wherein the identifier is larger in size than the biometric data.
8. A non-transitory computer readable storage medium configured to store instructions that, when executed by a hardware module included in a computing device, cause the hardware module to generate a master key for accessing content managed by the computing device, by carrying out steps that include:
receiving, from a processor included in the computing device, a request to generate the master key, wherein:
the request includes biometric data associated with a user of the computing device,
the processor is separate and distinct from the hardware module, and
the processor is communicably coupled to the hardware module;
accessing an identifier that is unique to the computing device, wherein the identifier is directly accessible only to the hardware module within the computing device, and is stored by the hardware module in a manner that prevents software executing by way of the processor from directly accessing the identifier;
combining the biometric data and the identifier to produce a combined value;
carrying out an iterative function on the combined value to produce the master key, wherein a number of iterations associated with the iterative function is based on a selected security level; and
providing the master key to the processor, wherein the master key is utilized by the processor to access the content.
9. The non-transitory computer readable storage medium of claim 8, wherein the steps further include:
receiving an indication of the security level.
10. The non-transitory computer readable storage medium of claim 8, wherein the steps further include:
providing the master key to the processor for accessing content stored on the computing device.
11. The non-transitory computer readable storage medium of claim 8, wherein the identifier is indirectly-accessible to the processor via the hardware module.
12. The non-transitory computer readable storage medium of claim 8, wherein the request specifies a number of iterations to be performed on the combined value by the iterative function.
13. The non-transitory computer readable storage medium of claim 12, wherein the iterative function includes a Password-Based Key Derivation Function 2 (PBKDF2).
14. The non-transitory computer readable storage medium of claim 12, wherein the iterative function includes a Hash-based Message Authentication Code Secure Hash Algorithm 1 (HMAC-SHA1).
15. A computing device configured to generate a master key for accessing content, the computing device comprising:
a memory that stores the content;
a processor, wherein the processor is configured to:
receive a first request to access the content, wherein the first request includes biometric data associated with a user of the computing device, and
issue, to a hardware module included in the computing device, a second request to generate the master key based (i) on the biometric data, and (ii) an identifier that is unique to the computing device, wherein the identifier is directly accessible only to the hardware module within the computing device, and is stored by the hardware module in a manner that prevents software executing by way of the processor from directly accessing the identifier; and
the hardware module, wherein the hardware module is separate and distinct from the processor and is configured to:
receive, from the processor, the second request,
access the identifier stored by the hardware module,
combine the biometric data and the identifier to produce a combined value;
carry out an iterative function on the combined value to produce the master key, wherein a number of iterations associated with the iterative function is based on a selected security level; and
provide the master key to the processor, wherein the master key is utilized by the processor to access the content.
16. The computing device of claim 15, wherein the processor is further configured to:
receive an indication of the security level.
17. The computing device of claim 15, wherein:
the hardware module is further configured to provide the master key to the processor, and
the processor is further configured to access the content using the master key.
18. The computing device of claim 15, wherein the identifier is indirectly-accessible to the processor via the hardware module.
19. The computing device of claim 15, wherein the second request specifies a number of iterations to be performed on the combined value by the iterative function.
20. The computing device of claim 15, wherein the identifier is larger in size than the biometric data.
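As an added illustration of the master key derivation in claims 1, 4, 5 and 6 (example code, not from the patent or any implementation of it): a stand-in hardware module holds the device identifier, derives the master key with PBKDF2-HMAC-SHA1, and picks the iteration count from the security level or from an explicit count in the request. The iteration counts, device identifiers and PIN are constructed, and feeding the user secret as PBKDF2's password and the identifier as its salt is an assumption about how the claims' "combined value" maps onto PBKDF2's two inputs.

```python
import hashlib

# Iteration counts per security level. The claims only say the count is
# "based on a selected security level"; these numbers are constructed.
ITERATIONS_BY_LEVEL = {"low": 1_000, "medium": 10_000, "high": 100_000}
MASTER_KEY_LEN = 32


class HardwareModule:
    """Stand-in for the claims' hardware module: it holds the device-unique
    identifier and exposes only derived master keys, never the identifier."""

    def __init__(self, device_uid: bytes) -> None:
        if len(device_uid) < 16:
            raise ValueError("device identifier must be at least 16 bytes")
        self.__uid = device_uid  # kept private; no accessor is provided

    def generate_master_key(self, user_secret: bytes, security_level: str,
                            iterations: int = 0) -> bytes:
        """Derive the master key with PBKDF2-HMAC-SHA1 (claims 5 and 6).
        A non-zero iteration count in the request wins (claim 4); otherwise
        the count follows the security level (claim 1). Using the user
        secret as PBKDF2's password and the identifier as its salt is this
        example's reading of the claims' "combined value"."""
        if not user_secret:
            raise ValueError("empty user secret")
        if iterations <= 0:
            iterations = ITERATIONS_BY_LEVEL[security_level]
        return hashlib.pbkdf2_hmac("sha1", user_secret, self.__uid,
                                   iterations, MASTER_KEY_LEN)


def demo() -> dict:
    """Constructed scenario: one PIN, two devices, two security levels."""
    uid_a = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    uid_b = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # constructed
    pin = b"123456"
    dev_a, dev_b = HardwareModule(uid_a), HardwareModule(uid_b)
    k_a = dev_a.generate_master_key(pin, "high")
    return {
        "key_len": len(k_a),
        # Same device and PIN reproduce the key, so the content stays accessible.
        "same_device_reproducible": k_a == dev_a.generate_master_key(pin, "high"),
        # The PIN alone on other hardware does not reproduce the key, which is
        # what ties any PIN guessing to the original device's identifier.
        "cross_device_equal": k_a == dev_b.generate_master_key(pin, "high"),
        # A different level means a different iteration count and a different key.
        "level_changes_key": k_a != dev_a.generate_master_key(pin, "medium"),
        "explicit_iterations_match": k_a == dev_a.generate_master_key(
            pin, "low", iterations=ITERATIONS_BY_LEVEL["high"]),
    }
```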